Skill v1.0.1
ClawScan security
Linkedin Profile Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 28, 2026, 4:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (auditing and correcting LinkedIn entries via Playwright) matches the resources it requests, but important operational and safety details are vague or potentially risky, especially live edits via a browser CDP connection and unspecified file writes, so proceed with caution.
- Guidance: This skill is coherent with its stated purpose (it legitimately needs node + Playwright to automate a logged-in browser), but it operates on sensitive, live data and can write changes directly to your LinkedIn profile. Before installing or running it: (1) demand an explicit confirmation/preview step be added that requires you to approve all proposed edits before any live writes; (2) ask where extracted profile data will be saved and insist on a safe, reviewable path (and consider encrypted storage or ephemeral/temp files); (3) understand that attaching to a local CDP session gives the script programmatic access to your browser state (DOM, cookies, localStorage) even if the author promises not to exfiltrate tokens; treat this as sensitive; (4) test on a disposable or test LinkedIn account first; (5) if you cannot inspect the exact Playwright script the agent will run, do not allow autonomous invocation to perform writes. If the publisher can provide the Playwright scripts (or an explicit confirmation flow) and a clear file path policy, the risk would be much lower.
Review Dimensions
- Purpose & Capability
- note: The name/description align with the declared requirements: node + Playwright CDP-driven browser automation is a reasonable way to read and edit LinkedIn profiles. There are no unrelated env vars or external service credentials requested, which fits the stated purpose.
- Instruction Scope
- concern: SKILL.md instructs the agent to connect to a local Chrome session via Playwright CDP, batch-extract profile descriptions, write results to a local file, ask targeted clarification questions, then apply batch corrections live. This is within the advertised scope, but the doc does not (a) specify explicit user confirmation/approval before performing live edits, (b) constrain or document the local file path for extracted data, or (c) acknowledge that Playwright CDP commands inherently have access to page state (DOM, cookies, localStorage). The skill asserts it won't extract session tokens, but the runtime actions described could access sensitive browser state if implemented that way.
- Install Mechanism
- ok: Instruction-only skill with no install spec and a single binary requirement (node). This is low-risk from an install perspective: nothing is downloaded or written by an installer as part of the skill bundle.
- Credentials
- note: The skill requests no environment variables or external credentials, which is proportionate. However, its operation depends on attaching to the user's browser CDP session; that connection grants programmatic access to the browser's authenticated LinkedIn session (and therefore cookies/session state) even if the SKILL.md claims no tokens are transmitted. That capability is necessary for the stated purpose but is sensitive and should be treated as such.
- Persistence & Privilege
- concern: `always` is false (good). But the skill's instructions call for performing live changes to the user's LinkedIn profile via automation. The doc does not require explicit, granular confirmation before making edits (it only describes targeted clarification questions), which raises the risk of unintended modifications if the agent acts autonomously. Autonomous invocation itself is platform-default; the real issue is the lack of an explicit confirm/preview/apply safety step and unspecified file write locations.
